PFS: Probabilistic filter scheduling against distributed denial-of-service attacks

Dongwon Seo; Heejo Lee; Adrian Perrig

doi:10.1109/LCN.2011.6114645

PFS: Probabilistic filter scheduling against distributed denial-of-service attacks

Dongwon Seo, Heejo Lee, Adrian Perrig

Department of Computer and Radio Communications Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

13 Citations (Scopus)

Abstract

Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.

Original language	English
Title of host publication	Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011
Pages	9-17
Number of pages	9
DOIs	https://doi.org/10.1109/LCN.2011.6114645
Publication status	Published - 2011
Event	36th Annual IEEE Conference on Local Computer Networks, LCN 2011 - Bonn, Germany Duration: 2011 Oct 4 → 2011 Oct 7

Publication series

Name	Proceedings - Conference on Local Computer Networks, LCN

Other

Other	36th Annual IEEE Conference on Local Computer Networks, LCN 2011
Country	Germany
City	Bonn
Period	11/10/4 → 11/10/7

Keywords

DDoS attack defense
Network security
filter scheduling
router-based filtering

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture

Access to Document

10.1109/LCN.2011.6114645

Fingerprint Dive into the research topics of 'PFS: Probabilistic filter scheduling against distributed denial-of-service attacks'. Together they form a unique fingerprint.

Cite this

Seo, D., Lee, H., & Perrig, A. (2011). PFS: Probabilistic filter scheduling against distributed denial-of-service attacks. In Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011 (pp. 9-17). [6114645] (Proceedings - Conference on Local Computer Networks, LCN). https://doi.org/10.1109/LCN.2011.6114645

PFS : Probabilistic filter scheduling against distributed denial-of-service attacks. / Seo, Dongwon; Lee, Heejo; Perrig, Adrian.

Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011. 2011. p. 9-17 6114645 (Proceedings - Conference on Local Computer Networks, LCN).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Seo, D, Lee, H & Perrig, A 2011, PFS: Probabilistic filter scheduling against distributed denial-of-service attacks. in Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011., 6114645, Proceedings - Conference on Local Computer Networks, LCN, pp. 9-17, 36th Annual IEEE Conference on Local Computer Networks, LCN 2011, Bonn, Germany, 11/10/4. https://doi.org/10.1109/LCN.2011.6114645

@inproceedings{64e5a7d763b947f289e6ac2601d538f8,

title = "PFS: Probabilistic filter scheduling against distributed denial-of-service attacks",

abstract = "Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.",

keywords = "DDoS attack defense, Network security, filter scheduling, router-based filtering",

author = "Dongwon Seo and Heejo Lee and Adrian Perrig",

year = "2011",

doi = "10.1109/LCN.2011.6114645",

language = "English",

isbn = "9781612849287",

series = "Proceedings - Conference on Local Computer Networks, LCN",

pages = "9--17",

booktitle = "Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011",

note = "36th Annual IEEE Conference on Local Computer Networks, LCN 2011 ; Conference date: 04-10-2011 Through 07-10-2011",

}

TY - GEN

T1 - PFS

T2 - 36th Annual IEEE Conference on Local Computer Networks, LCN 2011

AU - Seo, Dongwon

AU - Lee, Heejo

AU - Perrig, Adrian

PY - 2011

Y1 - 2011

N2 - Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.

AB - Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.

KW - DDoS attack defense

KW - Network security

KW - filter scheduling

KW - router-based filtering

UR - http://www.scopus.com/inward/record.url?scp=84862922646&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84862922646&partnerID=8YFLogxK

U2 - 10.1109/LCN.2011.6114645

DO - 10.1109/LCN.2011.6114645

M3 - Conference contribution

AN - SCOPUS:84862922646

SN - 9781612849287

T3 - Proceedings - Conference on Local Computer Networks, LCN

SP - 9

EP - 17

BT - Proceedings of the 36th Annual IEEE Conference on Local Computer Networks, LCN 2011

Y2 - 4 October 2011 through 7 October 2011

ER -